    llc: fix sk_buff leak in llc_conn_service() · b74555de
    Eric Biggers authored
    syzbot reported:
    
        BUG: memory leak
        unreferenced object 0xffff88811eb3de00 (size 224):
           comm "syz-executor559", pid 7315, jiffies 4294943019 (age 10.300s)
           hex dump (first 32 bytes):
             00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
             00 a0 38 24 81 88 ff ff 00 c0 f2 15 81 88 ff ff  ..8$............
           backtrace:
             [<000000008d1c66a1>] kmemleak_alloc_recursive  include/linux/kmemleak.h:55 [inline]
             [<000000008d1c66a1>] slab_post_alloc_hook mm/slab.h:439 [inline]
             [<000000008d1c66a1>] slab_alloc_node mm/slab.c:3269 [inline]
             [<000000008d1c66a1>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
             [<00000000447d9496>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
             [<000000000cdbf82f>] alloc_skb include/linux/skbuff.h:1058 [inline]
             [<000000000cdbf82f>] llc_alloc_frame+0x66/0x110 net/llc/llc_sap.c:54
             [<000000002418b52e>] llc_conn_ac_send_sabme_cmd_p_set_x+0x2f/0x140  net/llc/llc_c_ac.c:777
             [<000000001372ae17>] llc_exec_conn_trans_actions net/llc/llc_conn.c:475  [inline]
             [<000000001372ae17>] llc_conn_service net/llc/llc_conn.c:400 [inline]
             [<000000001372ae17>] llc_conn_state_process+0x1ac/0x640  net/llc/llc_conn.c:75
             [<00000000f27e53c1>] llc_establish_connection+0x110/0x170  net/llc/llc_if.c:109
             [<00000000291b2ca0>] llc_ui_connect+0x10e/0x370 net/llc/af_llc.c:477
             [<000000000f9c740b>] __sys_connect+0x11d/0x170 net/socket.c:1840
             [...]
    
    The bug is that most callers of llc_conn_send_pdu() assume it consumes a
    reference to the skb, when actually due to commit b85ab56c ("llc:
    properly handle dev_queue_xmit() return value") it doesn't.
    
    Revert most of that commit, and instead make the few places that need
    llc_conn_send_pdu() to *not* consume a reference call skb_get() before.
    
    Fixes: b85ab56c ("llc: properly handle dev_queue_xmit() return value")
    Reported-by: syzbot+6b825a6494a04cc0e3f7@syzkaller.appspotmail.com
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
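A toy model of the ownership mismatch the message describes, added here as an illustration and not part of the commit or of the kernel: the `toy_*` names and the `live_skbs` counter are hypothetical stand-ins for sk_buff refcounting, used to show why a caller written for a consuming send leaks under a non-consuming one, and how an skb_get() before a consuming send lets a caller keep using the skb.

```c
#include <assert.h>
#include <stdlib.h>

/* Toy stand-in for sk_buff refcounting: hypothetical names, not kernel code. */
struct toy_skb { int users; };
static int live_skbs;                 /* allocated but not yet freed */

static struct toy_skb *toy_alloc_skb(void)
{
    struct toy_skb *skb = calloc(1, sizeof(*skb));
    skb->users = 1;                   /* caller owns one reference */
    live_skbs++;
    return skb;
}
static struct toy_skb *toy_skb_get(struct toy_skb *skb) { skb->users++; return skb; }
static void toy_kfree_skb(struct toy_skb *skb)
{
    if (--skb->users == 0) { free(skb); live_skbs--; }
}

/* Contract restored by this commit: the send consumes the caller's reference. */
static void send_pdu_consuming(struct toy_skb *skb) { toy_kfree_skb(skb); }
/* Contract introduced by b85ab56c: the send leaves the caller's reference alone. */
static void send_pdu_nonconsuming(struct toy_skb *skb) { (void)skb; }

/* Caller written for the consuming contract but running against the
 * non-consuming one: nobody drops the last reference, so the skb leaks. */
static int leaky_caller(void)
{
    live_skbs = 0;
    send_pdu_nonconsuming(toy_alloc_skb());
    return live_skbs;                 /* 1: the leak syzbot reported */
}

/* Caller that must keep using the skb after sending it: take an extra
 * reference first (the skb_get() the commit adds), then drop it when done. */
static int fixed_caller_keeps_skb(void)
{
    live_skbs = 0;
    struct toy_skb *skb = toy_alloc_skb();
    send_pdu_consuming(toy_skb_get(skb));
    assert(skb->users == 1);          /* still valid for the caller */
    toy_kfree_skb(skb);
    return live_skbs;                 /* 0: balanced */
}
```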